A computer network is a collection of interconnected computing devices that can exchange data and share resources. In a packet-based network, the computing devices communicate data by dividing the data into small blocks called packets, which are individually routed across the network from a source device to a destination device. The destination device extracts the data from the packets and assembles the data into its original form. Dividing the data into packets enables the source device to resend only those individual packets that may be lost during transmission.
A local network is a collection of interconnected computing devices serving a specific area, such as a business enterprise or office. Such local networks are often connected to an external public network, such as the Internet. Access to the public network comes with certain risks. For example, malicious users on the external network may pretend to be trustworthy and attempt to access the local network. In addition, malicious users may launch network attacks in an attempt disrupt the operation of devices on the local network.
To prevent such attacks, network administrators use various devices and techniques to restrict or monitor electronic traffic flowing between the public network and the local network. A firewall, for example, may be used to block packets addressed to certain computers and prevent unauthorized access to the local network. Other devices may be used to passively monitor traffic for suspicious behavior.
In some instances, the public network may be used as an intermediate network to transport encapsulated packets from a source device to a destination device within the local network. For example, the source device may establish a network “tunnel” to carry encapsulated packets to the destination device. Often packets or other data units that conform to one type of protocol are encapsulated within packets of another type of protocol (i.e., the tunneling protocol). In other words, the packets are transparently communicated through the intermediate public network via the tunnel. This technique may be especially useful when the intermediate network does not support the encapsulated protocol or when it is desirable to securely communicate the encapsulated packets through the public network.
One example of a tunneling protocol is the Generic Routing Encapsulation (GRE) protocol, which is a protocol for encapsulation of an arbitrary network layer protocol over another arbitrary network layer protocol. Another example is the set of Internet Protocol Security (IPsec) protocols that make use of cryptographic technology to establish secure network tunnels. These tunnels allow packets conforming to other network protocols, such as Internet Protocol (IP) packets, to be encapsulated within encrypted packet streams flowing through the public network.
The use of tunnels often presents a challenge in terms of network security. In particular, it is often difficult to detect security threats within the encapsulated packet streams. For example, often only the tunnel ingress and egress devices are involved in establishing the tunnel and, therefore, have knowledge of the tunnel and the encapsulation scheme used by the tunnel. As a result, it is difficult to analyze the encapsulated packets to determine whether the encapsulated packets carry a network attack.